GPSOLO July/August 2007

In today’s environment, transacting financial business on the Internet seems as risky as walking unarmed and alone through a no-man’s-land in Iraq. With care and a lot of luck, you could come through unscathed with your assets intact . . . but then again, you might not. Indeed, your risk is increasing. Gartner, Inc., an independent research firm, has reported that some 15 million Americans were victimized by identity theft in 2006, a 50 percent increase over 2003. The crime is not limited to the United States but is proliferating across the globe.

During the past 18 months, more than 150 million records containing sensitive personally identifiable information (PII) about American consumers have been compromised by theft, loss, or improper disposal. The failures are not limited to the business world. Since the beginning of 2003, there have been almost 800 incidents at federal agencies involving the loss or compromise of PII. For years, both state and federal agencies have been posting PII about individuals on their websites or making it available for download for a nominal fee.

The massive database breach at TJX (parent company to T.J. Maxx, Marshalls, HomeGoods, and other retailers) has put the entire issue of data collection and storage under a magnifying glass. Finding and exploiting a wireless hole in the TJX security system, data thieves were able to systematically obtain personally identifiable information on 45.7 million consumers who shopped at TJX stores during a period of several years. Cases of fraud owing to the TJX breach have been reported from all corners of the world. While a number of arrests have been made in the case, the data still is at large and is being exploited. The breach affected consumers across the United States, Puerto Rico, and Canada, but it had a disproportionate impact in New England. According to the New Hampshire Bankers Association, 20 to 30 percent of all New Englanders may have had their information exposed.

The problem is exacerbated by the fact that many businesses, governmental agencies, and educational institutions require that we provide them with our sensitive PII in order to deal with them, and then not only fail to protect it but even disclose it in inane ways if they don’t sell it outright. For example, just last December, more than 171,000 tax forms were mailed by the Wisconsin Department of Revenue with the addressees’ Social Security Numbers printed on the mailing labels. Starting in 2004, anyone with six dollars and an Internet connection could buy public documents from the California Secretary of State with the names, addresses, Social Security Numbers, and often signatures of people who had applied for secured loans, until the practice was halted earlier this year. Adding insult to injury, a bill was introduced in the Texas legislature earlier this year to exempt public agencies from the obligation to redact sensitive PII from public records before they are made available to the public, because the job of redacting that information is simply too onerous.

Even health care providers demand this information. Can you remember ever completing a patient intake form at your doctor or dentist that didn’t ask for your Social Security Number, driver’s license number, spouse’s name and address, employer’s name and address, and other information having no real bearing on the services you were seeking? Is it any wonder that medical identity theft is the fastest-growing segment of this crime?

Although paper-free (electronic) transactions still are considered safer, the spate of database breaches has made consumers gun-shy. A recent national survey concluded that 30 percent of consumers polled are limiting their online purchases, and 24 percent are cutting back on their online banking, owing to fears about their identities being stolen online, even though the risk of data theft during an online transaction is minimal and can be controlled by the consumer.

Legislation

Legislative responses have been mixed. Following California’s lead, 34 states now have enacted statutes mandating consumer notification in the event of a compromise, but the mandates are not uniform. Data brokers and the business community, among others, have been seeking federal legislation both to preempt the patchwork quilt of state statutes and to provide them with "Safe Harbor" exemptions from the obligation to notify consumers, such as a determination by the entity whose data was compromised that there is "no significant risk that the security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach."

Given the self-interest involved, such an exemption would be like asking the fox guarding the henhouse to assess the risk that he’s going to eat some of the chickens. The exemption nonetheless found its way into Senator Dianne Feinstein’s bill, the Notification of Risk to Personal Data Act of 2007, introduced in January (S. 239, 3(b)(1)). Under the bill, a claim of exemption can be countermanded by the Secret Service if it determines that notice nonetheless should be given to consumers (S. 239, 3(b)(3)). Given the number of breaches and the ten-day time frame for the Secret Service to make such a determination, the likelihood of the Secret Service’s ever countermanding such a claim of exemption is at best suspect. On May 3, the Senate Judiciary Committee not only approved the bill but added its notification provisions to the Personal Data Privacy and Security Act of 2007 (S. 495) introduced in February by Sens. Patrick Leahy, Arlen Specter, Russ Feingold, Chuck Schumer, and Bernie Sanders, which also was approved. These bills both would preempt state law except in those exceptionally rare instances where only intrastate commerce is involved. They may reach the floor of the Senate by the time this article is published.

Federal legislation has yet to address underlying causes, although the Leahy bill is taking a step in that direction. For example, a significant amount of identity fraud occurs when thieves steal preapproved credit cards, blank credit-line checks, or ordinary blank checks from victims’ mailboxes. Even more fraud occurs when thieves hack into financial services companies’ information systems or steal computers. The Leahy bill would impose comprehensive data privacy and security requirements, "appropriate to the size and complexity of the business entity and the nature and scope of its activities," on businesses engaging in interstate commerce, if the interstate activities involve collecting, accessing, transmitting, using, storing, or disposing of sensitive PII in electronic or digital form on 10,000 or more United States persons, unless the business entity already is subject to the Gramm-Leach-Bliley Act or HIPAA or the information is "the release of a public record, or information derived from a single public record, not otherwise subject to confidentiality or nondisclosure requirement, or information obtained from a news report or periodical" (S. 495, 3(10)(B)(ii)). The bill would authorize the Federal Trade Commission (FTC) to adopt regulations specifying the nature and extent of those data privacy and security requirements. Violations of these requirements would be subject to civil penalties of up to $5,000 per day per violation, capped at $500,000 per violation, doubled for willful violations.

If this bill passes in its present form, which exempts from data privacy and security requirements all businesses handling sensitive PII on fewer than 10,000 U.S. persons, Congress will be sending a negative message to consumers: deal with small businesses at your own risk. Moreover, by capping the civil penalties at a level less than the potential losses suffered by consumer victims and precluding a private right of action, businesses will have minimal economic incentive to comply. Experts in the field suggest that Congress should pass laws barring federally regulated financial institutions from sending pre-approved credit cards and credit-line checks through the mail, as well as laws imposing tough penalties on financial institutions that allow their weak database defenses to be hacked. Were Congress to do so, perhaps fewer people would be victimized by identity thieves.

Yet another bill has been introduced by Sen. Daniel Inouye: the Identity Theft Prevention Act (S. 1178). This bill is broader than the Leahy bill in its coverage; the Inouye bill’s "covered entities" include any non-governmental person or entity. It would preempt state law as to data security and breach notification requirements and would require a covered entity to develop, implement, maintain, and enforce a written program for the security of sensitive personal information the entity collects, maintains, sells, transfers, or disposes of, containing administrative, technical, and physical safeguards (1) to ensure the security and confidentiality of such data; (2) to protect against any anticipated threats or hazards to the security or integrity of such data; and (3) to protect against unauthorized access to, or use of, such data that could result in substantial harm to any individual, unless the covered entity already complies with the FTC’s Standards for Safeguarding Customer Information and Disposal of Consumer Report Information and Records. (S. 1178, 2.) The bill also would require notice to the FTC or other federal regulator and to all consumer credit reporting agencies before giving notice of a data compromise to affected consumers. If the entity determines there is "a reasonable risk of identity theft" and there are more than 1,000 affected individuals, notice to consumers would be required; if fewer, only notice to the FTC or other federal regulator would be required. The bill also authorizes credit freezes by any consumer, not just victims of identity theft, on the consumer’s credit bureau files. Introduced April 20, 2007, the bill was referred to the Senate Committee on Commerce, Science, and Transportation, which reported the bill out favorably with amendments to be presented on the floor.

Indications are that all three bills are the subject of conferences among the sponsors and other interested parties and likely would not come to the Senate floor until after the Memorial Day recess. Given the historic inability of Congress to pass analogous bills, the future of this legislation is uncertain.

In an attempt to fill this vacuum, state legislatures have been responding. By way of example:

California, the leader in this area, already requires any business that owns or licenses PII about a California resident and is not otherwise regulated by the California Confidentiality of Medical Information Act, the California Financial Information Privacy Act, HIPAA, or another state or federal law providing greater protection to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure" (Cal. Civ. Code 1798.81.5). This requirement supplements the well-known requirements of California law for consumer notification of data compromises (Cal. Civ. Code 1798.82). A violation of either of those statutory provisions entitles an injured consumer to sue for damages and injunctive relief. (Cal. Civ. Code 1798.84).

Among other bills in this area, the Massachusetts legislature currently is considering bills that would make companies liable for damages resulting from the companies’ failures to make proper notification of data breaches to consumers (House Bill 4018; Senate Bill 2236).

If Congress fails to act or fails to preempt the area, we can expect further state legislation in this area.

Remedies

All of this provides cold comfort to victims of identity theft. Except in the most egregious cases, the loss to an individual victim simply is too small to interest contingent fee lawyers. There are significant obstacles to class-action approaches, including the fact that an instance of actual identity theft resulting from a data breach or compromise may take years to arise, while another instance may occur in short order. Although most jurisdictions may impose a restitution requirement as part of a sentence after conviction, the perpetrator first must be identified and caught. Even then, restitution is difficult, if not impossible, to pay when one is behind bars. A review of the consumer cases against TJX provides some insight into the claims that have been asserted. Only time will tell whether these claims will survive pretrial proceedings and trial.

At least six separate consumer class action suits have been filed against TJX in the federal district court in Boston. All cases have been consolidated under the name In re TJX Companies Retail Security Breach Litigation and docketed under Master Docket No. 07-CV-10162-WGY. (Another case, McMorris v. TJX Companies, alleging negligence and violation of Massachusetts state statutes, was filed in Massachusetts state court, removed to the district court, and consolidated.) The original complaint in the lead case alleged merely a negligence claim. The amended complaint, filed May 9 on behalf of all "consumer track" plaintiffs, alleges claims based on

negligence in the face of the Payment Card Industry (PCI) Data Security Standards, card operating regulations imposed by card issuers (CORs) such as VISA and MasterCard, and widespread reports of other data breaches;

breach of contract on the theory that the consumers were third-party beneficiaries of TJX’s contractual obligations to its bank, and/or TJX and the bank’s contractual obligations to card processors, under the PCI Data Security Standards and the CORs;

breach of an implied contract to safeguard the plaintiffs’ PII and to notify the plaintiffs promptly of any data breach; and

unfair trade practices under Massachusetts law.

California cases include one filed in Los Angeles Superior Court, Lemley v. TJX Companies, Inc., Case No. BC365384, which was removed to the Central District of California, remanded, and again removed, where it is pending as Case No. 2007-CV-02168; this case asserts claims based on negligence, common law bailment of the consumers’ PII, breach of contract on the same theories as in the Boston cases, and violation of the California Unfair Business Practices Act. Another case was filed in the Central District of California: Clark v. TJX Companies, Inc., Case No. 2006-CV-08135; this case asserts claims based on alleged violations of the Fair Credit Reporting Act. Interestingly, neither of these cases asserts a claim under the California data security statute.

Where banks have been the victims, incurring substantial expenses for replacement of customers’ credit cards (reportedly as much as $25 per card), refunding unauthorized charges incurred by the thieves, and other damages, they are starting to take action. "Protecting consumers is our number-one priority," said Lindsey Pinkham, senior vice president of the Connecticut Bankers Association, in a written statement. "However, retail data breaches are getting larger and more frequent and we cannot continue to absorb the costs." In the TJX matter, according to a prepared statement by the Massachusetts Bankers Association, "there have been dramatic costs to financial institutions in the effort to protect cardholders" as a result of the data breach. Therefore, in late April, the Massachusetts Bankers Association, representing 207 member banks, joined by the Connecticut Bankers Association, the Maine Association of Community Banks, and several individual banks, filed a class action against TJX in the federal district court in Boston, which was by prior order consolidated into In re TJX Companies Retail Security Breach Litigation. Although the complaint is not yet available online, press reports indicate that the gravamen of the bank case is TJX’s violations of the PCI Data Security Standards and the CORs.

Press reports also state that Canadian law firm Merchant Law Group has filed class-action lawsuits in six Canadian provinces against Winners and HomeSense, two TJX-owned retailers in Canada, and that a woman in Virginia filed a class-action lawsuit against TJX over what she said was the company’s refusal to offer credit monitoring services for affected customers.

The TJX cases, however, may result in "bad facts making bad law." There are many approaches to protecting data, including data auditing, data monitoring, encryption, data leakage prevention, endpoint monitoring, and others. What is the right mix of approaches for any one company to take? There is no agreement by the data protection industry other than a consensus that each company has to choose for itself, based on its own circumstances, as they evolve. What should the consequences be if a company, with the clarity of hindsight, has made the wrong choice? Bankruptcy may permit a company to survive, but it affords no benefit to the victims of the company’s inaccurate choices.

Self-Protection

The best consumers can do is to be vigilant, be informed, and take the steps necessary to protect themselves. Consumers shouldn’t provide sensitive personal or financial information unless there is a good reason to do so, or the law requires it. Whether a business or a government agency is demanding your data, be suspicious. As a former FBI agent says,

You have to be skeptical. Ask them, why do you need this information? What are you going to use it for? How will you store it? When and how will you destroy it? Nine times out of ten, they don’t really need it in the first place, and even if they do, you have a right to know what they’re going to do with it.

In addition to asking questions, look at the company’s privacy policy, which should include written disclosures about these matters. (See the sidebar, "Privacy Policies," on page 51.) If you are not satisfied, take your business elsewhere, and tell your friends that you are doing so and why. The power of the purse is compelling. If unsatisfactory or nonexistent data security policies and practices cost a business the patronage of its customers or cost a health care provider the patronage of its patients, these policies and practices will change or the enterprise will not long survive.

At the same time, don’t shoot yourself in the foot by disclosing to strangers the very information you want the businesses and health care providers you patronize to protect. Use a locking mailbox or pick up your mail at the post office. Post your outgoing mail in a blue USPS mailbox or, better yet, in the slot inside your local post office. Shred everything you dispose of using a fine cross-cut or confetti shredder as a matter of policy, so that you don’t inadvertently toss something sensitive into the trash where it can be retrieved by a dumpster diver. Transmit nothing over an unsecured wireless connection and even then ensure that your transmission is encrypted. Make sure that everyone who works for you does the same things, and fire them without remorse if they don’t. Never click on a link in an e-mail message that appears to come from one of the financial services providers (banks, credit card issuers, department stores, etc.) that you patronize online, even if the e-mail appears to be genuine. Take the time, instead, to type the address manually into your browser to avoid falling victim to a phishing expedition.

Our grandmothers and great-grandmothers were right when they taught us that an ounce of prevention is worth a pound of cure. We are lawyers, and it is our business to sue people who wrong us. As we all know all too well, however, even if you can identify, locate, and serve the perpetrator(s), litigation is an expensive and time-consuming process, best avoided by a bit of prophylaxis.

Remediation and Resources

If you become a victim of identity theft, there are resources available to you to assist you in resolving the theft. Many insurance companies are offering full identity theft resolution services as part of or endorsements to their property and casualty policies; some also are adding the endorsements to their other policies. Check your policy; if the coverage is not there, check with your carrier. If your carrier does not offer identity theft resolution services, consider changing carriers to one that does. Avoid stand-alone "identity theft insurance" offered by some companies; their coverage is largely illusory, as the claims payment histories demonstrate.

If you have no coverage when you become the victim of identity theft, however, there still are resources to assist you in resolving the matter. The Privacy Rights Clearinghouse has a detailed list of actions to take posted on its website at www.privacyrights.org/fs/fs17a.htm. The FTC also has resources on its website: www.ftc.gov/bcp/edu/microsites/idtheft. Finally, there is a wealth of information posted on Identity Theft 911’s consumer education website, www.identitytheft911.org/home.htm. All you need is a computer and an Internet connection.

PRIVACY POLICIES

Always examine a company’s or agency’s privacy policy before transmitting sensitive personally identifiable information (PII) to it. You usually will find it by clicking on the link entitled "privacy policy" at the bottom of the home page. Some are short and sweet. Some are lengthy and convoluted.

Some states, such as California, require all businesses with an online presence (Cal. Bus. & Prof. Code 22575) and government agencies (Cal. Gov’t Code 11019.9) that collect PII to adopt and post a privacy policy. Many privacy policies also include complex provisions about information sharing for direct marketing purposes. As a general rule, if a privacy policy is adopted, it must be adhered to without deviation. Failure to do so is deemed an unfair business practice in violation of Section 5 of the FTC Act, which can be enjoined and which may expose the offending entity to civil penalties.

Some websites include information about their data security practices in their privacy policies; others may provide that information separately under a link entitled "security" or "security and protection." If the website is silent on the subject, assume that there is none until such time as you otherwise satisfy yourself by contacting the chief privacy officer or the chief information officer of the provider. Remember that encryption of data transmitted between your computer(s) and the provider’s server(s) says nothing about the security of the data either on your computer(s) or once it arrives at the provider.

J. Anthony Vittal, the original general counsel of Identity Theft 911, LLC, is in private practice with The Vittal Law Firm based in Los Angeles, California, and is a member of the GPSolo Technology & Practice Guide Editorial Board. He may be reached at tony.vittal@abanet.org.